Create a Connected App in Your Org
Salesforce CLI requires a connected app in the org that you're authorizing. A connected app is a framework that enables an external application, in this case Salesforce CLI, to integrate with Salesforce using APIs and standard protocols, such as OAuth. We provide a default connected app when you authorize an org with the org login web command. For extra security, you can create your own connected app in your org using Setup and configure it with the settings of your choice. You're required to create a connected app when authorizing the org with the org login jwt command.
- Log in to your org.
- From Setup, enter App Manager in the Quick Find box, then select App Manager.
- In the top-right corner, click New Connected App.
- Click Create a Connected App, then click Continue.
- Update the basic information as needed, such as the connected app name and your email address.
- Select Enable OAuth Settings.
- For the callback URL, enter http://localhost:1717/OauthRedirect. If port 1717 (the default) is already in use on your local machine, specify an available one instead. Then update your sfdx-project.json file by setting the oauthLocalPort property to the new port. For example, if you set the callback URL to http://localhost:1919/OauthRedirect, add this to sfdx-project.json:
  "oauthLocalPort" : "1919"
- (Required for JWT) Select Use digital signatures.
- (Required for JWT) Click Choose File and upload the file that contains your digital certificate, such as server.crt.
- Add these OAuth scopes:
  - Manage user data via APIs (api)
  - Manage user data via Web browsers (web)
  - Perform requests at any time (refresh_token, offline_access)
- Click Save, then Continue.
- Click Manage Consumer Details. If prompted, verify your identity by entering the verification code that was automatically sent to your email address.
- Click Copy next to Consumer Key because you need it later when you run an org login command.
- Click Back to Manage Connected Apps.
- Click Manage.
- Click Edit Policies.
- In the OAuth Policies section, for the Refresh Token Policy field, click Expire refresh token after: and enter 90 days or less. Setting a maximum of 90 days for the refresh token expiration is a security best practice. To continue running CLI commands against an org whose refresh tokens have expired, reauthorize it with the org login web or org login jwt command.
- In the Session Policies section, set Timeout Value to 15 minutes. Setting a timeout for access tokens is a security best practice. Salesforce CLI automatically handles an expired access token by referring to the refresh token.
- (Required for JWT) In the OAuth Policies section, select Admin approved users are pre-authorized for permitted users, and click OK.
- Click Save.
- (Required for JWT) Click Manage Profiles, select the profiles that are pre-authorized to use this connected app, and click Save. Similarly, click Manage Permission Sets to select the permission sets. Create permission sets if necessary.
To specify the consumer key, use the --client-id flag of the org login commands. For example, if your consumer key is 04580y4051234051 and you're authorizing a Dev Hub org by logging into it from a browser, run this command in a terminal (macOS and Linux) or command prompt (Windows):

sf org login web --client-id 04580y4051234051 --set-default-dev-hub --alias my-hub-org

See the reference for org login web and org login jwt for more examples.
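The JWT steps above (Use digital signatures, the uploaded server.crt, and the consumer key) exist so that the org can verify a signed JWT bearer assertion. The following added example, which is not part of the Salesforce documentation or the CLI's own code, generates the key pair and certificate that step expects, then builds and verifies an assertion with the same claims the JWT bearer flow uses, so you can see why only the holder of server.key can log in. It assumes openssl is installed; the consumer key, username and login URL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Salesforce docs). Assumes openssl is available.
set -eu
WORK="$(mktemp -d)"

# Private key plus self-signed certificate; server.crt is the file you upload
# under "Use digital signatures", server.key stays on the machine running the CLI.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=sf-cli-jwt" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  openssl x509 -in "$WORK/server.crt" -pubkey -noout > "$WORK/server.pub"
}

# base64url as required by JWT: URL-safe alphabet, no padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+'); pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | openssl base64 -d -A
}

# Build the assertion: RS256 header, claims iss = consumer key, sub = username,
# aud = login URL, exp = now + 3 minutes, signed with server.key.
make_assertion() {
  client_id="$1"; username="$2"; aud="$3"
  exp=$(( $(date +%s) + 180 ))
  header=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
    "$client_id" "$username" "$aud" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" \
    | openssl dgst -sha256 -sign "$WORK/server.key" -binary | b64url)
  printf '%s.%s.%s' "$header" "$claims" "$sig"
}

# The check the org performs with the certificate you uploaded: the signature
# over header.claims must verify under server.crt's public key.
verify_assertion() {
  jwt="$1"
  signing_input="${jwt%.*}"
  printf '%s' "${jwt##*.}" | b64url_decode > "$WORK/sig.bin"
  printf '%s' "$signing_input" \
    | openssl dgst -sha256 -verify "$WORK/server.pub" -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Decode the claims segment so you can inspect iss/sub/aud/exp.
assertion_claims() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# With a real org the CLI does this for you, e.g. (flags from the sf reference):
# sf org login jwt --client-id <consumer-key> --jwt-key-file server.key --username <user>
```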